Modelling an Emergency Vehicle Early-Warning System using ... · ﬁre trucks and police vehicles) face a growingrisk to their occupants’ personal safety while approaching the scenes

Int. J. Intelligent Information and Database Systems, Vol. x, No. x, xxxx 1

Modelling an Emergency Vehicle

Early-Warning System using Real-time

Feedback

Aline Senart*, Melanie Bouroche and

Vinny Cahill

Distributed Systems Group, Department of Computer ScienceTrinity College Dublin, IrelandE-mail: [email protected]*Corresponding author

Abstract: Emergency vehicles, while usually equipped with warningsirens and/or beacons, are still often impeded by other traffic and in-volved in numerous collisions. An effective warning system for alertingother vehicles that an emergency vehicle is approaching is therefore cru-cial. Current research is investigating the use of wireless communicationfrom emergency vehicles to warn other traffic. However, communicationin dynamic wireless networks is not reliable. In this paper, we proposea novel emergency vehicle early-warning system that relies on wirelesstechnology to inform other vehicles of the arrival of emergency vehi-cles, and returns feedback in real-time when communication degrades.When such a situation happens, emergency vehicles are informed thatsome vehicles may not have been warned and should therefore slow downto negotiate traffic safely. We describe how such a system is built withComhordu, a coordination model for wireless networks.

Keywords: Emergency vehicle warning system, wireless ad hoc net-work, real-time feedback, coordination.

Reference to this paper should be made as follows: Senart A., BourocheM. and Cahill V. ‘Modelling an Emergency Vehicle Early-Warning Sys-tem using Real-time Feedback’, Int. J. Intelligent Information andDatabase Systems, Vol. x, No. x, pp.xxx–xxx.

Biographical Notes: Aline Senart is a Senior Research Fellow in theDistributed Systems Group at Trinity College Dublin. She received anM.Sc. in Computer Science, Systems and Communication from JosephFourier University in 2000 and her Ph.D. in Computer Science from INPGrenoble in 2003. Aline’s Ph.D. work was on dynamically reconfigurableoperating system kernels with application to active networks. Her cur-rent research interests are in middleware architectures and programmingmodels to support mobile and context-aware applications ranging fromintelligent transportation systems to emerging global supply chain man-agement.

Melanie Bouroche is a Ph.D. student in the Distributed Systems Groupat Trinity College Dublin. She was awarded a ”Diplome d’Ingenieur enTelecommunications” by INP Grenoble, France, and an M.Sc. in Com-

Copyright c© 200x Inderscience Enterprises Ltd.

2 A. Senart, M. Bouroche and V. Cahill

puter Science (Networks and Distributed Systems) from Trinity CollegeDublin in 2003. Her research interests include distributed systems, andin particular, middleware for sentient computing, and real-time coor-dination of mobile autonomous entities. Melanie’s thesis presents anapproach to systematically translating system-wide safety constraintsinto requirements on the behaviour of autonomous mobile entities.

Vinny Cahill holds a Personal Chair in Computer Science and is a Sci-ence Foundation Ireland investigator at Trinity College Dublin where healso serves as Director of Research for Computer Science and Statistics.His research addresses many aspects of distributed systems, in partic-ular, middleware and programming models for ubiquitous and mobilecomputing with application to intelligent transportation systems andpersonal healthcare/independent living. He has over 100 peer-reviewedpublications in international conferences and journals and was a found-ing editorial board member of IEEE Pervasive Computing Magazine andeditorial board member of IEEE Distributed Systems Online.

1 Introduction

As traffic volumes increase on roads, emergency responders (e.g., ambulances,fire trucks and police vehicles) face a growing risk to their occupants’ personal safetywhile approaching the scenes of accidents. While usually equipped with sirensand/or beacons, the sudden appearance of emergency vehicles can be extremelydisruptive to nearby vehicles. Corporation (2002) reports that emergency vehiclecrashes occurring while responding to emergencies represent one of the major causesof injuries and deaths of professional responders. Moreover, warning lights andsirens, which are traditionally used by emergency service providers when called toaccidents, are time-saving (Brown et al., 2000) but leave little time for vehiclesto maneuver to get out of the way. Some drivers become confused and createconflicts with other drivers that can block lanes and increase vehicle response times.However, every minute counts in emergency situations. For example, when a persongoes into defibrillation, waiting for an emergency vehicle to arrive eats away precioustime (Eisenberg, 1998). An effective early-warning system for alerting the drivers ofother vehicles (or in the future notifying autonomous vehicles) that an emergencyvehicle is approaching is therefore crucial.

Radio signaling systems can also be used to provide advanced warning of anapproaching emergency vehicle, thereby potentially reducing traffic accidents byincreasing the awareness of the surrounding vehicles. Such a warning system canbe very effective as information about the arrival of an emergency vehicle can berelayed by the roadside infrastructure or the vehicles themselves, and this beyondthe driver’s horizon (Santos et al., 2004; Little and Agarwal, 2005; Farkas et al.,2006).

Current research is therefore investigating the use of wireless communication foremergency vehicles to notify traffic lights and private and public transport vehiclesof their arrival (Miyawaki et al., 1999; Durresi et al., 2005). While these warningsystems contribute to safer and more efficient roads, wireless communication is notreliable in dynamic vehicular networks characterised by high mobility and speed

Modelling an Emergency Vehicle Early-Warning System using Real-time Feedback 3

(Yin et al., 2004). If transmissions are delayed or lost, the safety of emergencyvehicles and other vehicles can be compromised. To allow vehicles to make safeprogress in the presence of unreliable communication, it is necessary to informthem when timely information cannot be provided.

In this paper, we propose a novel emergency vehicle early-warning system thatrelies on wireless technology to inform private and public transport vehicles of thearrival of emergency vehicles and returns feedback in real-time to emergency ve-hicles about the maximum speed at which they can safely drive. Therefore, whenreal-time communication cannot be guaranteed, emergency vehicles are informedthat nearby vehicles may not be warned within a suitable time bound. They thenhave the possibility of adapting their behaviour to ensure that road safety con-straints are not violated, for example, by slowing down to negotiate traffic safelywhile still using traditional warning systems.

We describe how such a system is built with Comhordu (Bouroche et al.,2006a,b), a decentralised coordination model for wireless networks, in which mo-bile entities coordinate their behaviour to ensure that application-specific safetyconstraints are never violated. This coordination model builds on a real-time com-munication model for wireless networks, known as the space-elastic model (Hughes,2006), that provides feedback to entities about the state of communication. Withthe coordination model, entities can use this feedback to ensure that the safetyconstraints are always satisfied, by adapting their behaviour when communicationis limited.

The remainder of this paper is structured as follows. In Section 2, we reviewrelated work on emergency vehicle warning systems, autonomous vehicles and co-ordination models. In Section 3, we describe the space-elastic model for real-timecommunication in wireless networks. In Section 4, we present Comhordu, a co-ordination model in which safety constraints are not violated even in the face ofpossible communication failures, while in Section 5 we describe how the emergencyvehicle early-warning system using real-time feedback is built with the coordina-tion model, and show that warning sytems with feedback allow emergency vehiclesto drive faster than without feedback when wireless communication is sufficientlygood. Finally, Section 6 concludes this paper.

2 Related work

Emergency vehicles generally depend on sirens, horns, flashing lights or someother type of audible or visible alarm to alert other vehicles in the area as theyapproach. A few systems have been proposed or patented that use radio commu-nication to provide additional warnings (Mayhew and Shirkey, 1992; Code et al.,2006; Ewing and Zubiel, 2006), some of which have been commercialised (NASA,2001). Other systems use wireless communication to provide automatic remotecontrol of traffic lights at intersections, so as to switch to a green light for the di-rection of the approaching emergency vehicle and to a red light for opposing traffic(Miyawaki et al., 1999; Casturi, 2000; Dotzer et al., 2005; Transportation ResearchBoard, 2006).

Similar work can be found in the broader area of autonomous vehicles. Thechallenges involved in realising this vision of driverless vehicles are similar to those


faced by the development of emergency vehicle warning systems in terms of thetimeliness constraints on communication that are required. A number of projectshave been conducted in the autonomous vehicles domain and what was consideredscience fiction not long ago is now becoming a reality. Prototypes have been de-signed that are able to overtake a slower vehicle, cross an unsignalised junction andavoid collision with other vehicles (Kolodko and Vlacic, 2003; Baber et al., 2005;Pallottino et al., 2007). A similar scenario is also presented in (Mock, 2004), whererobots coordinate their actions to cross a shared road section.

There have also been numerous efforts addressing the coordination/cooperationof mobile entities. A communication architecture for the cooperation of autonomousvehicles is presented in (Nett et al., 2001) and detailed in (Schemmer et al., 2001),however their approach is limited to infrastructure-based networks. Similarly, ex-isting coordination models for mobile autonomous entities, such as Linda In MobileEnvironments (LIME) (Murphy et al., 2001) and EgoSpaces (Julien and Roman,2007) facilitate rapid development of mobile applications. EgoSpaces demonstratedthe usefulness of their middleware through the easy construction of an emergencyvehicle warning system that turns on a light on the dashboard of a car when thedriver needs to clear the road for an emergency vehicle.

In all this work, either reliability of communication is assumed, or unreliabilityis tackled by retransmission of signals until correct reception (may be infinite). Inboth cases, timely message delivery cannot be assumed. Therefore these approachescan only increase the probability that vehicles are warned in advance of the arrival ofemergency vehicles. However, as only a best-effort service is provided, emergencyvehicles do not have guarantees that vehicles are warned (some signals may bedelayed or never arrive). Therefore, the speed of emergency vehicles is still limitedby their line of sight as they have to be ready to stop in case some vehicle did notreceive the message and free the way.

Finally, recent advances in wireless technologies provide new opportunities foradvanced emergency vehicle early-warning systems. In particular, Dedicated ShortRange Communication (DSRC), a short- to medium-range wireless protocol specif-ically designed for automotive use, offers the potential to effectively support high-speed inter-vehicle and vehicle-to-roadside communications (Xu et al., 2004). DSRCis already used in electronic toll collection, electronic credentialing and monitoringof commercial vehicle operations and could be applied in many different other sce-narios including warning systems (Tsugawa, 2002; Lee et al., 2004). However, toour knowledge, no such system has been designed so far that provides the kind offeedback required by emergency vehicle warning systems.

3 Space-elastic model

The space-elastic model (Bouroche et al., 2006a; Hughes, 2006) is a model forreal-time communication in wireless networks, including ad hoc networks. In thismodel, real-time communication is guaranteed within a geographical proximity ofthe sending entity. This proximity can be of any shape and can be defined eitherabsolutely (e.g., using GPS coordinates), or relatively around the entity (using ananchor point and a size).


3.1 Specifications

An entity wishing to send messages specifies the proximity within which it wantsits messages to be delivered. This proximity is called the desired coverage, andis used to bound message propagation. The entity also stipulates the maximumlatency, msgLatency, within which the messages must be delivered, and the desiredperiod for their transmission, named period.

Depending on the topology of the network (i.e., the distribution of the nodes andthe quality of the wireless links), it might not be possible over some period of timeto deliver a message in time to all interested entities within the desired coverage.Therefore, the size of the proximity in which timely delivery of messages is provided,called the actual coverage, changes over time. In the worst case, no communicationis possible; this corresponds to an actual coverage of size zero. The sender is notifiedin real-time of any expansion or shrinking of the actual coverage within a boundedtime, adaptNotif . Therefore, an entity knows within msgLatency + adaptNotif

after sending a message the area in which it has been successfully delivered, andcan adapt its behaviour accordingly. If the actual coverage becomes smaller thanone or more thresholds, called critical coverage(s), the sender might need to takeinto account that it cannot communicate in an area wide-enough to maintain safeoperation, and might need to adapt its behaviour. Possible variations of the actualcoverage around the desired and the critical coverages are illustrated in Figure 1.

3.2 Guarantees

An entity is said to be present within the actual coverage of a sending entityonce it is able to receive messages after arriving in communication coverage. Thistakes an implementation-dependent time, present, which is necessary to include theentity in the real-time routing protocol for example. The real-time communicationguarantees that the space-elastic model provides are therefore:

• to message senders: to be able to communicate within msgLatency in theactual coverage, and to be notified within adaptNotif if this coverage changes,

• to message receivers: to receive every message of the types in which theyhave expressed interest, if they are present within the actual coverage of themessage sender at the delivery time of this message.

The feasibility of the space-elastic model with low-jitter real-time communica-tion and time bounded adaptation notification has been demonstrated in real-worldsettings (Hughes, 2006). We show in the next section how the feedback describingthe revised actual coverage in which communication is guaranteed can be used toensure safety. This is the basis for the design of our emergency vehicle warningsystem with real-time feedback.

4 Coordination model

In this section, we introduce Comhordu (Bouroche et al., 2006a,b), a real-timecoordination model for mobile autonomous entities based on the notion of dis-tributed responsibility. We first present the formalism used to express high-level


system-wide safety constraints. We then show how these safety constraints aretranslated with Comhordu into requirements on the behaviour of individual enti-ties.

4.1 Specifying the safety constraints

Safety constraints typically include constraints on the actions and states ofentities, as well as their distance to each other. For example, a vehicle needs tocoordinate its behaviour with an emergency vehicle only when they are on thesame stretch of road. In this section, we introduce a formalism to define suchsafety constraints.

4.1.1 Scenario, modes and states

A scenario encompasses a set of entity types E1, E2, .., En, a goal, and somesafety constraints. In the emergency vehicle warning system, the entity types rep-resent emergency vehicles and other vehicles. The goal of the system is for emer-gency vehicles to drive as fast as possible to their destination, and for the othervehicles to make safe progress to their destination. The safety constraints are thatthe emergency vehicle should not crash into another vehicle.

The behaviour of an entity is described by a set of modes that describe theactions that can be taken, and the possible transitions between these modes. Tran-sitions between modes are instantaneous. For example, given the maximum velocityof an emergency vehicle vmax, and an increasing set of speeds {vi}i∈[1,n] with vn =vmax, the modes of emergency vehicles can be defined as: stopped, {going at vi,accelerating to vi, braking to vi}i∈[1,n]. Similarly, the behaviour of the othervehicles can be modelled with the modes travelling, getting out of the way,and out of the way. We denote the set of modes of entities of type Ei as Mi.

The situation of an entity at a given time is described by its state which encom-passes its mode, and some additional application-specific information, for example,the position of the entity. We denote the set of states of entities of type Ei as Si.The states of emergency vehicles and other vehicles encompass their mode, location,current speed and direction.

4.1.2 State compatibility

A set of states (s1, s2, ..., sn) ∈ S1×S2...×Sn is compatible, noted Cs(s1, s2, ..., sn),if the safety constraints are not violated when some entities are simultaneously inthese states. For instance, the states of an emergency vehicle and other vehiclesare compatible if they are far enough away. Also, the state of a vehicle that is offthe road is compatible with the state of any emergency vehicle.

4.1.3 Expressing the safety constraints

The safety constraints can be expressed as a set of incompatibilities betweenstates, including constraints on the relative distance of entities (noted distance(posi-tion1, position2)). For example, the safety constraint that emergency vehicles andother vehicles should not collide can be stated as:


Cs(sov, sev) iff q(

(distance(sov.position, sev.position) < d)

∧ (sev.mode 6= stopped) ∧ (sov.mode 6= out of the way))

, (1)

where sev refers to the emergency vehicle, sov to any other vehicle, and d toa threshold distance. This equation expresses the fact that the safety constraintswill not be violated if a vehicle and an emergency vehicle are far enough away, orthe emergency vehicle is stopped, or the vehicle is out of the way of the emergencyvehicle.

4.2 Ensuring the safety constraints

High-level system-wide safety constraints, while being simple and quite intuitiveto state, are not easily exploitable as such. Comhordu introduces a number ofabstractions that enables to deduce the necessary and sufficient requirements onindividual entities’ behaviour so that these safety constraints will not be violated.

4.2.1 Responsibility

For every state incompatibilities between entities, one of the entities needs toensure that the incompatibility will not occur. This entity is responsible for theincompatibility. For example, emergency vehicles are responsible to ensure thatthey do not collide with other vehicles.

Responsibility might be attributed a priori or in real-time, and might be trans-ferred. However, at any time, at least one entity must be responsible for eachpossible incompatibility. This notion of responsibility allows to distribute the dutyof ensuring safety constraints over entities.

An entity responsible for an incompatibility needs to foresee when the incom-patibility might happen in order to prevent it. Occurrences of incompatibilities canbe deduced from the modes of the different entities.

4.2.2 Mode compatibility

A set of modes (m1, m2, ..., mn) ∈ M1 × ...×Mn is compatible if, when some en-tities are simultaneously in these modes, their states are always compatible. GivenSi,m ⊆ Si a set of states of the entity ei in which it is in mode m ∈ Mi, modecompatibility of the modes m1, m2, ..., mn of entities e1, e2, ..., en can be defined as:

Cm(m1, m2, ..., mp) iff

∀(s1, s2, ..., sn) ∈ S1,m1× ... × Sn,mn

, Cs(s1, s2, ..., sn) .

For example, the modes out of the way of a vehicle and going at vi of an emer-gency vehicle are compatible because when they are in these modes, their statesare always compatible.

While the notion of state incompatibility captures whether the safety constraintsare being violated at a given time, mode compatibility enables to predict that no


incompatibility will happen if entities are in these given modes. Note that if themodes of a set of entities are not compatible, it does not imply that the safetyconstraints will be violated. For example, the modes travelling of a vehicle andgoing at vi of an emergency vehicle are not compatible, as entities might collideinto each other when they are in these modes. However, if they are far enoughapart, the safety constraints will not be violated.

A mode of an entity ei is said to be a fail-safe mode if ei can remain in thismode to ensure that the incompatibility for which it is responsible will not happen.For example, the mode stopped is a fail-safe mode for emergency vehicles.

4.2.3 Coordination primitives

To ensure that no state incompatibility will happen, a responsible entity canuse three primitives: it can adapt its behaviour, delay its own actions, or transferits responsibility.

Adapting its behaviour (adapt) A responsible entity can obtain information aboutthe modes that other entities can be in by both previous knowledge and in real-time. Using this information, a responsible entity can adapt its behaviour, e.g.,change mode, to always be in a mode that ensures that the safety constraints willnever be violated.

Delaying actions (delay) A responsible entity can ensure that the incompatibilityfor which it is responsible will not happen by delaying an action that can triggerthis incompatibility, e.g., delay switching to a mode in which an incompatibilitymight occur. The action can be delayed until either the responsible entity getsinformation that it is safe to undertake it, or it has warned all entities that it willundertake it.

Transferring responsibility (transfer) The last means that can be used by aresponsible entity to ensure that the incompatibility for which it is responsiblewill not occur is to warn other entities that the incompatibility might occur. Theresponsible entity might include its state and mode in the warning message. Theother entities are expected to change their behaviour to avoid the incompatibilityand can use information contained in the warning message to do so. Warningmessages need to be sent periodically over a proximity that is wide enough toensure that entities approaching will be notified early enough so that they will havetime to react.

An entity sending a message receives feedback about the delivery area within atime bound, but not whether there was any entity within this area that actuallyreceived the message. Therefore, entities that receive the message become respon-sible to ensure that no incompatibility arises with the sender, but this transfer ishowever only partial, as the sender remains responsible for the incompatibility inrelation to other entities.


4.3 Translating the safety constraints

In this section, we introduce contracts and zones, which build on responsibility,mode compatibility and the coordination primitives to allow the translation of thesafety constraints into requirements on the behaviour of entities.

4.3.1 Contracts between entities

Three types of contracts between entities exist and we detail each of them below.

Contract without transfer The responsible entity does not transfer its responsibil-ity, and must always ensure that the safety constraints are not violated, by adaptingits behaviour if necessary. Other entities do not need to be aware of the contract.Therefore, the only coordination primitives that can be used are adapt and delay

and are used only by the responsible entity.

Contract without feedback The responsible entity must warn other entities at leasttwarning in advance when the safety constraints are liable to be violated. Otherentities must be able to react within this twarning to ensure that no incompatibilitywill happen. For this contract, the responsible entity can use any coordinationprimitive, while other entities are restricted to adapt.

Contract with feedback In this contract, the responsible entity must also warnother entities at least twarning in advance when the safety constraints are liable tobe violated, but entities can in addition provide feedback to the responsible entitywhen they cannot adapt their behaviour. In turn, the responsible entity must alsobe able to react to ensure that no incompatibility will happen, and this withintwarning − tfeedback. Other entities must be able at any time either to react withintwarning to a message from a responsible entity, or to communicate within tfeedback

to this entity. In this contract, both responsible and other entities can use the threeprimitives.

The use of the three primitives by both responsible entities (R) and others (O)in the three contracts is described in Table 1.

Table 1 Use of the primitives by the contracts

Contract adapt delay transfer

Without transfer R R -

Without feedback R, O R RWith feedback R, O R, O R, O

In the emergency vehicle warning system, if emergency vehicles are initiallyresponsible for avoiding collisions with other vehicles, the contract without feedbackbetween emergency vehicles and other vehicles could be used: emergency vehicleshave to warn other vehicles early enough before their arrival, so that other vehiclesget out of their way.


4.3.2 Zones

The contracts between entities can be translated into geographical zones: thesafety and consistency zones, and the critical coverage.

Safety zone The states of all the entities must be compatible at all times, but thesafety constraints actually impose constraints only on specific states, typically whentwo entities are “close”. For this reason, the safety zone, denoted SZ, is definedas the set of positions of entities in which their states are liable to be incompatiblewith those of the responsible entity.

Consistency zone If a responsible entity foresees that an entity could be in astate that is not compatible with its own state when that entity enters its SZ, theresponsible entity can choose to transfer its responsibility. In this case, it mustdo so early enough, so that the incoming entity have time to adapt its behaviour(either by not entering the safety zone, or by changing its mode) to prevent theincompatibility. The zone in which the responsibility must be transfered is calledthe consistency zone of the mode m, denoted CZ(m).

Critical coverage If the responsible entity chooses to transfer its responsibility toensure that all incoming entities have an accurate view of the state of the respon-sible entity when entering CZ(m), timely communication must be guaranteed in azone CC(m) around CZ(m). This corresponds to the critical coverage associatedwith mode m of the responsible entity. Upon failure of communication (i.e., whenthe critical coverage of m is not covered), a responsible entity needs to adapt itsbehaviour, by entering a mode whose critical coverage is covered. The differentzones are illustrated in Figure 2.

4.3.3 Deriving requirements on entities’ behaviour

Requirements on entities’ behaviour can be systematically derived from thecontracts between entities. These requirements describe the conditions that anentity must fulfil before transitioning to or remaining in a mode. These conditionsare expressed in terms of:

• a zone in which an entity must be able to communicate to switch to or remainin a mode (i.e., critical coverage for this mode),

• the advance warning it must give to other entities before switching to a givenmode (i.e., the value of twarning),

• the reaction it must have when receiving a message, depending on the contentof the message (typically, switching to a mode and/or sending a message).

The conditions can all be automatically derived from the contract type, as a func-tion of the contract parameters (e.g., twarning or tfeedback), the values of which areapplication-specific.


5 Emergency vehicle warning system

In this section, we show how an emergency vehicle warning system using real-time feedback can be designed with Comhordu. The system returns the maximumspeed at which the emergency vehicles can drive to ensure road safety given cur-rently available communication. When timely communication cannot be guaran-teed, the new speed at which it is safe to drive is provided to the emergency vehiclesin real-time so that they can negotiate traffic safely as some vehicles might be intheir way. Our emergency vehicle warning system therefore allows to reduce de-lays when the quality of communication is sufficient, while guazranteeing that noaccident happens as long as the requirements are respected.

5.1 Specifying the safety constraints

The first step in using the coordination model is to formalise the safety con-straints of the emergency vehicle warning system.

5.1.1 Scenario, modes and states

In the emergency vehicle early-warning system, an emergency vehicle informsother vehicles of its arrival. Upon reception of such a message, vehicles attemptto free the way for the emergency vehicle, and if not possible, send a messageback to the emergency vehicle to inform it of the situation. The emergency vehiclecan therefore regulate its speed depending on the achievable communication and,potentially, feedback from other vehicles.

As previously discussed, there are two types of entities in this system: emergencyvehicles and other vehicles, and the goal is for emergency vehicles to drive as fastas possible to their destination while the goal of the other vehicles is to makeprogress safely towards their destination. The modes of the emergency vehicles arethe following: stopped, {going at vi, accelerating to vi, braking to vi}i∈[1,n];and the other vehicles can be modelled with the following modes: travelling,getting out of the way, and out of the way. The behaviour of the two entitiesand the transitions between their modes are shown in Figures 3 and 4. The statesof the two entites can be described by their mode, their position and their speed:Mode x Position x Speed.

With these definitions, the safety constraint that emergency vehicles must notcrash into other vehicles at any time can be expressed as a condition on the stateof the entities, as shown in Equation 1 (see Section 4.1.3).

5.2 Ensuring the safety constraints

Once the safety constraints have been formalised, the compatibility between themodes of the entities can be deduced. Table 2 presents the mode compatibility andshows that stopped and out of the way are the fail-safe modes of the emergencyvehicle and the other vehicles respectively.

To allow vehicles to make progress when they are not in the vicinity of emergencyvehicles, emergency vehicles are made responsible for preventing incompatibilities.Two types of contract are then possible.


Table 2 Mode compatibility

Emergency Vehiclestopped acc. brak. going

Other Vehicle to vi to vi to vi

travelling X ✕ ✕ ✕

getting out

of the way X ✕ ✕ ✕

out of the way X X X X

Contract without feedback If we choose a contract without feedback between theemergency vehicle and the other vehicles, the emergency vehicle has to warn theother vehicles early enough before its arrival, so that they will get out of its way.For this purpose, the emergency vehicle sends a transfer message containing thecurrent time, position and velocity of the emergency vehicle, and a description ofwhat action it is planning to take (e.g., to accelerate): <time, position, speed,

actionPlanned>. The other vehicles use the information in the message to getout of the way. However, if communication degrades and the coverage goes belowthe critical coverage of its current mode, the emergency vehicle is notified withintfeedback that it should slow down. By reducing its speed, the emergency vehicle willenter a mode whose critical coverage is currently covered and will therefore remainable to notify other vehicles that it arrives, and this at least twarning in advance. Ifthe size of the actual coverage eventually reaches zero, then the emergency vehiclehas to stop.

Contract with feedback Alternatively, a contract with feedback can be chosen forthe emergency vehicle warning system. This contract enables a vehicle to replyto the transfer message from the emergency vehicle if it prefers not to get out ofthe way. Note that it is unlikely that this vehicle cannot communicate with theemergency vehicle, as it has just received a message from it. If it cannot reply, thenit has to get out of the way. Upon reception of a feedback message from a vehicle,the emergency vehicle slows down until the vehicle gets out of the way or until theemergency vehicle finds another route to reach its destination.

In both contracts, when communication improves, the emergency vehicle is in-formed in real-time of its new maximum speed and can accelerate safely.

A contract with feedback is more suited for this system because it does not relyon the assumption that vehicles are always able to get out of the way of emergencyvehicles.

5.3 Deriving requirements on entities’ behaviour

Comhordu allows to derive the requirements on the behaviour of emergencyvehicles and other vehicles automatically, given a chosen contract. For example, thesize of the consistency zone CZi for the modes going at vi, accelerating to vi,and braking to vi-1 can be derived:

CZi = SZ + twarning · vi (2)


with SZ = d, the safety distance that emergency vehicles must maintain to othervehicles. This derives from the fact that the contract between vehicles and emer-gency vehicles states that emergency vehicles must warn vehicles at least twarning

before arriving at their location.Similarly, the expression of the critical coverage CCi of the modes going at vi,

accelerating to vi, and braking to vi-1 can be derived:

CCi = (present + period) · vi + max(

CZi,

(

adaptNotif + R reaction(vi))

· vi + CCi−1

)

, (3)

where present, period, and adaptNotif are the space-elastic model parameters,and R reaction(vi) is the time required for an emergency vehicle to brake from vi

to vi−1. This illustrates that emergency vehicles travelling at speed vi must sendmessages to a zone that is big enough to ensure that (i) other vehicles have timeto receive a message before entering the consistency zone, (ii) if a message is notdelivered, the emergency vehicle has time to be notified and slow down, beforesending another message.

Comhordu also allows to derive requirements for an emergency vehicle to accel-erate safely from vi to vi+1: the critical coverage CCi+1 must be covered, and itmust warn vehicles at least:

∆ = msgLatency + max(twarning, adaptNotif) (4)

in advance, where msgLatency and adaptNotif are parameters of the space-elasticmodel. Thus, an emergency vehicle must warn vehicles when it intends to ac-celerate, early enough so that they have time to avoid it, and that it can cancelaccelerating if the message has not been delivered in a big enough zone.

These conditions can be expressed on the transitions between modes, see Figure5 and 6.

To summarise, the emergency vehicle warning system provides a speed vi whoseCCi is currently covered. When the coverage increases and becomes greater thatCCi+1, it waits for a message sent at least ∆ ago before accelerating to vi+1. Uponreception of a transfer message from an emergency vehicle, vehicles must ensurethat they do not collide into it, by either getting out of its way within twarning orsending a feedback message within tfeedback −msgLatency. The emergency vehicleshould stop within twarning − tfeedback after receiving the feedback. The values ofthe contract parameters twarning and tfeedback must be carefully chosen so that theaforementioned conditions are respected.

5.4 Evaluation

We have presented the requirements on the behaviours of both emergency andother vehicles to ensure that emergency vehicles can safely rely on wireless commu-nication to travel faster. Wireless communication, especially when it is multi-hop,i.e., relayed by other vehicles or the infrastructure, can cover a larger range. Forexample, experiments with an implementation of the space-elastic model (Hughes,2006) have shown that low jitter can be guaranteed for delivery over 3 hops, which


can correspond to up to 750m using IEEE 802.11b. Using Equation 2 and 3, andthe values twarning = 30 s, period = 2 s, present = adaptNotif = 0.5 s, this wouldallow emergency vehicles to travel at a speed of 80 km/h, provided that other ve-hicles can get out of their way within the 30 s warning. While this might not beachieved all the time, it is a very promising result, especially as traffic lights couldalso use the messages to give priority to the direction of the approaching emergencyvehicle.

Moreover, we compared the maximum speed that emergency vehicles can driveusing a warning system with feedback relying solely on wireless communication,with the velocity that can be achieved with a similar warning system withoutfeedback. As emergency vehicles do not have guarantees that their messages arereceived in a warning system without feedback, they have to use audible or visiblewarnings and their speed is limited by their line of sight. Therefore, for the warningsystem without feedback, we distinguished urban environments (UE) where thedriver’s view is likely to be obstructed from rural environments (RE) where thehorizon is more likely to be unobstructed. The warning system with feedbackshould however function similarly in urban and rural environments since it doesnot rely on the driver’s horizon.

For this evaluation, we used 120km/h for the maximum velocity of emergencyvehicles (vmax), v varies between 0 and vmax by increments of 10 km/h, and the otherparameters have the values specified above. The warning system with feedback isexpected to enable a higher velocity for emergency vehicles when the size of theactual coverage is large compared to similar systems without feedback. When theactual coverage is small, the warning system using sirens is expected to be moreeffective.

The variations of the maximum speed over the size of the actual coverage aredepicted in Figure 7. The figure shows that when the coverage is above 350m,emergency vehicles using feedback can drive faster than without feedback in urbanenvironments. In rural environments, however, the threshold is slighty higher at850m. The slackening of the rate of increase of speed for emergency vehicles usingfeedback above 90 km/h is due to the delivery zone required to react safely to anadaptation notification becoming bigger than the consistency zone (c.f., Equation3).

Our evaluation shows that using feedback allows emergency vehicles to travelfaster when communication is sufficient. This system used in conjunction withtraditional systems allows emergency vehicles to gain precious seconds. The mainshortcoming of our emergency vehicle early-warning system is the assumption thatvehicles are all equipped with wireless communication capabilities, but with thewidespread adoption of inter-vehicle communication (Khaled et al., 2005) we envi-sion that this limitation will soon be overcome.

6 Conclusion

In this paper, we presented a novel emergency vehicle early-warning system thatenables emergency vehicles to use new communication technologies to travel faster,which can be crucial in emergency situations. The use of a real-time communicationmodel with feedback allows emergency vehicles to rely on wireless communication


when it is sufficiently good. In these conditions, they send messages to vehicleson their path to warn them of their arrival, and because the range of wirelesscommunication can be significantly higher than the line of sight, emergency vehiclescan travel faster. When the quality of real-time communication is not sufficient,emergency vehicles are notified and can slow down and revert to the traditionalmethod of sirens and beacons, hence ensuring the safety of both emergency vehiclesand other vehicles.

AKNOWLEDGEMENTS

The authors are grateful to Science Foundation Ireland for their support of thework described in this paper under Investigator award 02/IN1/I250 between 2003and 2007.

Figure 1 Different coverages of the space-elastic model

Figure 2 Definitions of the different zones

stopped

accelerating _to_v1

braking _to_v0

v = 0

going_at_v1 going_at_vi

accelerating_to_vj

braking _to_vi

v = v i

... going_at_vj ...

v = v 1 v = v j

Figure 3 Modes of emergency vehicles


Figure 4 Modes of vehicles

Figure 5 Modes of emergency vehicles with derived requirements

Figure 6 Modes of vehicles with derived requirements

Figure 7 Achievable speed versus actual coverage size


References

Baber, J., Kolodko, J., Noel, T., Parent, M., and Vlacic, L. (2005). Cooperativeautonomous driving: Intelligent vehicles sharing city roads. IEEE Robotics &Automation Magazine, 12(1):44–49.

Bouroche, M., Hughes, B., and Cahill, V. (2006a). Building reliable mobile applica-tions with space-elastic adaptation. In Mobile Distributed Computing workshop(MDC 2006).

Bouroche, M., Hughes, B., and Cahill, V. (2006b). Real-time coordination of au-tonomous vehicles. In IEEE Conference on Intelligent Transportation Systems(ITSC 06).

Brown, L. H., Whitney, C. L., Hunt, R. C., Addario, M., and Hogue, T. (2000).Do warning lights and sirens reduce ambulance response times? PrehospitalEmergency Care, 4(1):70–74.

Casturi, R. (2000). A Macroscopic Model for Evaluating the Impact of EmergencyVehicle Signal Preemption on Traffic. PhD thesis, Faculty of Virginia PolytechnicInstitute.

Code, K., Image, R., McKenna, L. H., Images, V. P., and Class, P. (2006). Emer-gency warning system for approach of right of way vehicle. United States Patent.

Corporation, R. T. (2002). Emergency vehicle automatic crash notification andevent reporting technology. White Paper.

Dotzer, F., Kohlmayer, F., Kosch, T., and Strassberger, M. (2005). Secure commu-nication for intersection assistance. In 2nd International Workshop on IntelligentTransportation, Hamburg, Germany.

Durresi, M., Durresi, A., and Barolli, L. (2005). Emergency broadcast protocol forinter-vehicle communications. In 11th International Conference on Parallel andDistributed Systems, volume 2, pages 402–406.

Eisenberg, M. S. (1998). Defibrillation: the spark of life. Scientific American.

Ewing, J. L. and Zubiel, S. T. (2006). Emergency vehicle warning system. UnitedStates Patent.

Farkas, K., Heidemann, J., Iftode, L., Kosch, T., Strassberger, M., Laberteaux,K., Caminiti, L., Caveney, D., and Hada, H. (2006). Vehicular communication.IEEE Pervasive Computing, 5(4):55–62.

Hughes, B. (2006). Hard Real-Time Communication for Mobile Ad Hoc Networks.PhD thesis, Dept. of Computer Science, Trinity College Dublin.

Julien, C. and Roman, G.-C. (2007). Egospaces: Facilitating rapid development ofcontext-aware mobile applications. IEEE Transactions on Software Engineering.To appear.


Khaled, Y., Ducourthial, B., and Shawky, M. (2005). Ieee 802.11 performances forinter-vehicle communication networks. In IEEE Vehicular Technology Confer-ence, volume 5, pages 2925–2929.

Kolodko, J. and Vlacic, L. (2003). Cooperative autonomous driving at the intelli-gent control systems laboratory. IEEE Intelligent Systems, 18(4):8–11.

Lee, W.-H., Jeng, B.-S., Tseng, S.-S., and Wang, C.-H. (2004). Electronic tollcollection based on vehicle-positioning system techniques. In IEEE InternationalConference on Networking, Sensing and Control, volume 1, pages 643–648.

Little, T. D. C. and Agarwal, A. (2005). An information propagation schemefor vehicular networks. In IEEE Intelligent Transportation Systems Conference,Vienna, Austria.

Mayhew, G. L. and Shirkey, K. L. (1992). Communication architectures support-ing proactive driver safety. In Intelligent Vehicles Symposium, pages 370–377,Detroit, MI, USA.

Miyawaki, M., Yamashiro, Z., and Yoshida, T. (1999). Fast emergency pre-emptionsystems (fast). In International IEEE Conference on Intelligent TransportationSystems, pages 993 – 997.

Mock, M. (2004). On the Real-Time Cooperation of Autonomous Systems. Fraun-hofer Series in Information and Communicatoin Technology. Shaker Verlag,Aachen.

Murphy, A. L., Picco, G. P., and Roman, G.-C. (2001). Lime: A middleware forphysical and logical mobility. In Proceedings of the International Conference onDistributed Com puting Systems (ICDCS’01), pages 524–533. IEEE ComputerSociety.

NASA (2001). Nasa technology tested on california roads. NASA Tech Briefs.

Nett, E., Gergeleit, M., and Mock, M. (2001). Mechanisms for a reliable coop-eration of vehicles. In Proceedings of the IEEE International Symposium onHigh-Assurance Systems Engineering (HASE’01), pages 75–81. IEEE ComputerSociety.

Pallottino, L., Scordio, V. G., Frazzoli, E., and Bicchi, A. (2007). Decentralizedcooperative policy for conflict resolution in multi-vehicle systems. IEEE Trans-actions on Robotics. To appear.

Santos, R. A., Edwards, R. M., and Seed, N. L. (2004). Supporting inter-vehicularand vehicle-roadside communications over a cluster-based wireless ad-hoc rout-ing algorithm. In International Symposium on Information and CommunicationTechnologies, pages 1–6, Cancun, Mexico.

Schemmer, S., Nett, E., and Mock, M. (2001). Reliable real-time cooperationof mobile autonomous systems. In Proceedings of the Symposium on ReliableDistributed Systems ( SRDS 2001), pages 238–246. IEEE Computer Society.


Transportation Research Board (2006). Traffic signal preemption for emergencyvehicles: A cross-cutting study. Transportation Research Board of the NationalAcademies.

Tsugawa, S. (2002). Inter-vehicle communications and their applications to intel-ligent vehicles: an overview. In IEEE Intelligent Vehicle Symposium, volume 2,pages 564– 569.

Xu, Q., Mak, T., Ko, J., and Sengupta, R. (2004). Vehicle-to-vehicle safety messag-ing in dsrc. In 1st ACM International Workshop on Vehicular Ad Hoc Networks,pages 19–28, Philadelphia, PA, USA.

Yin, J., ElBatt, T., Yeung, G., Ryu, B., Habermas, S., Krishnan, H., and Talty, T.(2004). Performance evaluation of safety applications over dsrc vehicular ad hocnetworks. In First ACM Workshop on Vehicular Ad Hoc Networks, pages 1–9,Philadelphia, PA, USA.

Documents

Modelling an Emergency Vehicle Early-Warning System using ... · ﬁre trucks and police vehicles) face a growingrisk to their occupants’ personal safety while approaching the scenes